From e7f5ef7d83d46b9b265c8099c433201d376c7fb9 Mon Sep 17 00:00:00 2001
From: Jonathan Styles <64489881+jontyms@users.noreply.github.com>
Date: Tue, 19 Mar 2024 11:37:15 -0400
Subject: [PATCH] Added semgrep (#49)

* Added semgrep

* Skip precommit semgrep in ci
---
 .github/workflows/pre-commit.yaml |  1 +
 .github/workflows/semgrep.yml     | 34 +++++++++++++++++++++++++++++++
 .pre-commit-config.yaml           |  7 ++++++-
 requirements.txt                  |  3 ++-
 4 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/semgrep.yml

diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 0c50c65..aa75060 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -18,4 +18,5 @@ jobs:
         with:
           path: ~/.cache/pre-commit/
           key: pre-commit-4|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+      - run: echo "SKIP=semgrep" >> $GITHUB_ENV
       - run: pre-commit run --show-diff-on-failure --color=always --all-files
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..64bc164
--- /dev/null
+++ b/.github/workflows/semgrep.yml
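Review bot: The new `SKIP=semgrep` step silently turns the semgrep pre-commit hook off in CI without recording why, so a later reader has no way to tell whether coverage was lost or moved; a comment above the step such as `# semgrep runs in its own workflow (.github/workflows/semgrep.yml); skip the hook here so pre-commit CI stays fast` would make that explicit. While there, quote the target path (`- run: echo "SKIP=semgrep" >> "$GITHUB_ENV"`) so the line is shellcheck-clean and consistent with the quoting already used on the left-hand side. The job and its `steps:` list begin before this hunk, so I cannot see whether the step ordering relative to the checkout/setup steps is otherwise sound.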
@@ -0,0 +1,34 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep OSS scan
+
+on:
+  # Scan changed files in PRs (diff-aware scanning):
+  pull_request: {}
+  # Scan on-demand through GitHub Actions interface:
+  workflow_dispatch: {}
+  # Scan mainline branches and report all findings:
+  push:
+    branches: ["master", "main"]
+  # Schedule the CI job (this method uses cron syntax):
+  schedule:
+    - cron: '14 21 * * *'
+
+jobs:
+  semgrep:
+    # User definable name of this GitHub Actions job.
+    name: semgrep-oss/scan
+    # If you are self-hosting, change the following `runs-on` value:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: semgrep/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep scan" command on the command line of the docker image.
+      - run: semgrep scan --config auto
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 940c169..cb18ef6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,4 +23,9 @@ repos:
       - id: trailing-whitespace
       - id: check-merge-conflict
       - id: end-of-file-fixer
-      - id: check-toml
+  - repo: https://github.com/semgrep/semgrep
+    rev: 'v1.65.0'
+    hooks:
+      - id: semgrep
+        # See https://semgrep.dev/explore to select a ruleset and copy its URL
+        args: ['--error', '--skip-unknown-extensions']
diff --git a/requirements.txt b/requirements.txt
index 502dd52..d07ab87 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -61,7 +61,8 @@ requests==2.31.0
 requests-oauthlib==1.4.0
 requestsexceptions==1.4.0
 rsa==4.9
-s3transfer==0.10.1
+s3transfer==0.10.0
+semgrep==1.65.0
 six==1.16.0
 sniffio==1.3.1
 starlette==0.36.3
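Review bot: The new workflow declares no `permissions:` block, so the `semgrep` job runs with the repository's default `GITHUB_TOKEN` grants even though a read-only scan needs nothing beyond checkout; add `permissions:` / `  contents: read` at the job (or workflow) level. Both `actions/checkout@v3` and `image: semgrep/semgrep` are referenced by mutable tags (the image has no tag at all, so it floats to `latest`), which makes the scan non-reproducible and trusts whoever can push to those tags; pin the action to a full commit SHA with the tag in a trailing comment and pin the image to the same `1.65.0` this commit pins in `.pre-commit-config.yaml` and `requirements.txt` (`image: semgrep/semgrep:1.65.0`). Unlike the pre-commit hook added in this same commit, `semgrep scan --config auto` is not given `--error`, so to my knowledge findings will not fail the job, and `--config auto` also enables Semgrep's metrics upload to semgrep.dev; if that egress is unwanted, add `--error` plus either `--metrics=off` or an explicit `--config p/...` — worth confirming against the docs for the pinned version.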
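Review bot: The `args` override for the `semgrep` hook carries no `--config`, and because `args` in `.pre-commit-config.yaml` replaces rather than extends the hook's own defaults, the hook runs without any ruleset unless the repository ships a `.semgrep.yml`/`.semgrep/` directory that is not visible here; the comment left above it ("select a ruleset and copy its URL") reads as a step that was never completed. Give it the same source the CI workflow in this commit uses, `args: ['--config', 'auto', '--error', '--skip-unknown-extensions']`, or a specific `p/...` ruleset, so local and CI scans agree. The removal of `- id: check-toml` in this hunk looks unrelated to adding semgrep; if it was not intended, restore it.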
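Review bot: `semgrep==1.65.0` is added to what, judging by its neighbours (`requests`, `starlette`, `rsa`), is the application's runtime requirements file, so every production install now pulls a large scanner and its dependency tree that the service never imports; a separate `requirements-dev.txt` (or an optional extra) keeps the runtime supply-chain surface to what the code actually needs. The unrelated `s3transfer` downgrade from `0.10.1` to `0.10.0` rides along in the same hunk; if this file is `pip-compile` output that is a resolver side effect, otherwise please confirm the downgrade is intended and note why in the commit message.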